First Windows trojan discovered that serves Android banking malware to mobile devices

Pierluigi Paganini January 25, 2014

Symantec researchers recently came across Windows malware that attempts to infect connected Android devices by serving them Android malware.

Researchers at the antivirus firm Symantec have discovered malicious code that is able to infect Android mobile devices with banking malware during synchronization. The Windows trojan, which targets Windows users, can compromise a user’s smartphone during file transfer, device syncing and backup management operations.

The infection process starts with a trojan, dubbed Trojan.Droidpak by security experts, that drops a malicious DLL and registers it as a system service. Droidpak then downloads a configuration file from the following remote server:

http://xia2.dy[REMOVED]s-web.com/iconfig.txt

The configuration file tells the trojan where to download a malicious APK, which it stores at the following location on the infected PC:

%Windir%\CrainingApkConfig\AV-cdk.apk

The Android malware analyzed by the researchers appears to be designed specifically for Korean users, because the malicious APK searches the infected device for certain Korean online banking applications.

Communication between the mobile device and the compromised PC takes place over the Android Debug Bridge (ADB), a command line tool that allows the malicious code to execute commands on an Android smartphone connected to the infected computer.

Android malware

The Android Debug Bridge is a legitimate tool included in the Android software development kit (SDK). When a victim connects an Android device with USB debugging mode enabled, the trojan launches the installation process and infects the smartphone by dropping the Android malware. Once the device has been infected, the malware installs an app that masquerades as the Google App Store.

Android malware fake app
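The infection chain above leaves three host-side traces a defender can hunt for: a DLL registered as a service, the configuration fetch and APK drop, and adb.exe being run to install a package from somewhere other than the SDK. The following Python script is an added example, not code from Symantec or Security Affairs; it scans simplified, constructed telemetry records (plain dicts, not a real Sysmon or EDR schema) for those stages. The record field names, the TRUSTED_ADB_DIRS allow-list and the sample paths other than those quoted in the article are assumptions.

```python
"""Host-side hunt for the Trojan.Droidpak infection chain.

Added example for this article; not code from Symantec or Security Affairs.
It scans simplified, constructed host telemetry records (dicts; NOT a real
Sysmon/EDR schema) for the stages the article describes:
  stage 1: a DLL registered as a service binary,
  stage 2: the config fetch (iconfig.txt) and the APK dropped under
           %Windir%\\CrainingApkConfig\\AV-cdk.apk,
  stage 3: adb.exe running "install" from a location other than the SDK.
Field names ("kind", "image", "cmdline", ...) and TRUSTED_ADB_DIRS are assumptions.
"""
import re
from dataclasses import dataclass

# Indicators taken from the article (compared case-insensitively).
APK_DROP_SUFFIX = "\\crainingapkconfig\\av-cdk.apk"
CONFIG_FILE = "/iconfig.txt"
# Hypothetical allow-list: where a legitimate adb.exe lives on this host.
TRUSTED_ADB_DIRS = ("c:\\android\\sdk\\platform-tools\\",)
ADB_INSTALL = re.compile(r"\badb(?:\.exe)?\b.*\binstall\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    stage: str
    detail: str


def hunt(records):
    """Return a Finding for every record that matches one of the stages."""
    findings = []
    for rec in records:
        kind = rec.get("kind")
        if kind == "service_install":
            # Triage heuristic: a freshly registered service backed by a DLL
            # outside System32 deserves a look (allow-list legitimate ones).
            binary = rec.get("binary", "").lower()
            if binary.endswith(".dll") and not binary.startswith("c:\\windows\\system32\\"):
                findings.append(Finding("stage1_service_dll", rec["binary"]))
        elif kind == "http_request":
            if rec.get("url", "").lower().endswith(CONFIG_FILE):
                findings.append(Finding("stage2_config_fetch", rec["url"]))
        elif kind == "file_create":
            if rec.get("path", "").lower().endswith(APK_DROP_SUFFIX):
                findings.append(Finding("stage2_apk_drop", rec["path"]))
        elif kind == "process_create":
            image = rec.get("image", "").lower()
            cmdline = rec.get("cmdline", "")
            # adb "install" is only suspicious when adb itself is not the SDK copy.
            if ADB_INSTALL.search(cmdline) and not image.startswith(TRUSTED_ADB_DIRS):
                findings.append(Finding("stage3_adb_install", cmdline))
    return findings


# Constructed sample telemetry (not captured from a real incident); the two
# "placeholder" names and the Temp paths are invented for the example.
SAMPLE_RECORDS = [
    {"kind": "service_install", "name": "svc-placeholder",
     "binary": "C:\\Windows\\Temp\\dropped-placeholder.dll"},
    {"kind": "http_request", "url": "http://xia2.dy[REMOVED]s-web.com/iconfig.txt"},
    {"kind": "file_create", "path": "C:\\Windows\\CrainingApkConfig\\AV-cdk.apk"},
    {"kind": "process_create", "image": "C:\\Windows\\Temp\\adb.exe",
     "cmdline": "adb.exe install C:\\Windows\\CrainingApkConfig\\AV-cdk.apk"},
    # Benign: a developer installing an app with the SDK's own adb.
    {"kind": "process_create", "image": "C:\\Android\\sdk\\platform-tools\\adb.exe",
     "cmdline": "adb.exe install app-debug.apk"},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"{f.stage:22} {f.detail}")
```

The service and adb checks are deliberately coarse triage heuristics: both will flag legitimate software on some hosts, so the intent is to feed an analyst queue, with known-good service DLLs and SDK locations added to the allow-list, rather than to block anything automatically. The APK path and config file name are exact-match indicators and are only useful for this specific campaign.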

Android is the operating system most targeted by cyber criminals because of its wide adoption: numerous malware families were created in 2013 to hit mobile users, and an increasing number of hacking tools aimed at the platform became available in the underground.

The peculiarity of Trojan.Droidpak is that, for the first time, Windows malware was used to install a banking trojan on a mobile device.

The banking trojan, dubbed Android.Fakebank.B, implements features common to this category of malware, including SMS interception and “MITM capabilities”. Researchers at Symantec discovered that Android.Fakebank.B sends data back to the following attacker-controlled server:

http://www.slmoney.co.kr[REMOVED]

The experts provided a few suggestions to protect users’ devices from the Android malware when connecting to a Windows-based computer:

  • Turn off USB debugging on your Android device when you are not using it
  • Avoid connecting your Android device to public computers
  • Only install reputable security software
  • Keep your system, software and antivirus up to date.



Pierluigi Paganini

(Security Affairs –  Android Malware, Banking trojan)
